author | Patrick McHardy <kaber@trash.net> | 2013-08-27 02:50:13 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-27 18:27:44 -0400 |
commit | 0198230b7705eb2386e53778d944e307eef0cc71 (patch) | |
tree | 0f1a970873df8a3dd3c1111020b6555e8f8d0518 /net/ipv4 | |
parent | 41d73ec053d2424599c4ed8452b889374d523ade (diff) |
net: syncookies: export cookie_v4_init_sequence/cookie_v4_check
Extract the local TCP stack independent parts of tcp_v4_init_sequence()
and cookie_v4_check() and export them for use by the upcoming SYNPROXY
target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: David S. Miller <davem@davemloft.net>
Tested-by: Martin Topholm <mph@one.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/syncookies.c | 29 |
1 files changed, 18 insertions, 11 deletions
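--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -160,26 +160,33 @@ static __u16 const msstab[] = {
 * Generate a syncookie. mssp points to the mss, which is returned
 * rounded down to the value encoded in the cookie.
 */
-__u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
+u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th,
+u16 *mssp)
 {
-const struct iphdr *iph = ip_hdr(skb);
-const struct tcphdr *th = tcp_hdr(skb);
 int mssind;
 const __u16 mss = *mssp;
 
-tcp_synq_overflow(sk);
-
 for (mssind = ARRAY_SIZE(msstab) - 1; mssind ; mssind--)
 if (mss >= msstab[mssind])
 break;
 *mssp = msstab[mssind];
 
-NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);
-
 return secure_tcp_syn_cookie(iph->saddr, iph->daddr,
 th->source, th->dest, ntohl(th->seq),
 jiffies / (HZ * 60), mssind);
 }
+EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence);
+
+__u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
+{
+const struct iphdr *iph = ip_hdr(skb);
+const struct tcphdr *th = tcp_hdr(skb);
+
+tcp_synq_overflow(sk);
+NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);
+
+return __cookie_v4_init_sequence(iph, th, mssp);
+}
 
 /*
 * This (misnamed) value is the age of syncookie which is permitted.
@@ -192,10 +199,9 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 * Check if a ack sequence number is a valid syncookie.
 * Return the decoded mss if it is, or 0 if not.
 */
-static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
+int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th,
+u32 cookie)
 {
-const struct iphdr *iph = ip_hdr(skb);
-const struct tcphdr *th = tcp_hdr(skb);
 __u32 seq = ntohl(th->seq) - 1;
 __u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,
 th->source, th->dest, seq,
@@ -204,6 +210,7 @@ static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
 
 return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;
 }
+EXPORT_SYMBOL_GPL(__cookie_v4_check);
 
 static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,
 struct request_sock *req,
@@ -284,7 +291,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 goto out;
 
 if (tcp_synq_no_recent_overflow(sk) ||
-(mss = cookie_check(skb, cookie)) == 0) {
+(mss = __cookie_v4_check(ip_hdr(skb), th, cookie)) == 0) {
 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
 goto out;
 }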
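Review bot: The two newly exported helpers carry no statement of what their callers must now do themselves. `__cookie_v4_check()` is reachable without the `tcp_synq_no_recent_overflow(sk)` gate that `cookie_v4_check()` still applies in front of it in the last hunk, and `__cookie_v4_init_sequence()` no longer calls `tcp_synq_overflow()` or increments `LINUX_MIB_SYNCOOKIESSENT`. Both also dereference `iph` and `th` directly, so a caller outside the local TCP stack has to have validated and pulled the IP and TCP headers, and has to decide on its own when a cookie ACK is acceptable. I would add that to the existing comments above each exported function, e.g. `* Caller must pass validated, linear iph/th; no overflow gating or MIB accounting is done here.` The new prototypes use `u32`/`u16` while the surrounding code uses `__u32`/`__u16`, which is a smaller consistency point; `th` in the last hunk is declared outside the visible lines.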